

Biometrics for identification

By Jake Edge
April 2, 2008

Using a fingerprint or other physical characteristic, called biometric data, for identity verification seems, at first glance, like a perfect solution to the authentication problem. Unfortunately, there are some basic problems with using biometric information that way. If the biometric data can be gathered by others, it still identifies the person, but it no longer works as a credential, because a credential has to be something only the legitimate user can present.

As part of a political protest against including fingerprints in passports, the Chaos Computer Club (CCC) published a fingerprint of German Home Secretary Wolfgang Schäuble, a supporter of collecting fingerprint data to combat terrorism. The club published not only the picture, but also a film that can be placed over a finger to deceive fingerprint scanners. A club spokesman offered usage recommendations, as reported by heise online:

We recommend that you use the film whenever your fingerprint is taken, such as when you enter the US, stop over at Heathrow, or even when you touch bottles at your local supermarket -- just to be on the safe side

It seems unlikely that CCC's distributed finger film will actually leave the Secretary's print on a glass surface, but more sophisticated versions of the same basic idea should be able to. Various people have shown that an image of someone's fingerprint can fool most scanners. Even scanners that try to detect a live finger can be spoofed when that image is placed over a real finger, which supplies the body temperature and pulse the scanner checks for. The problem is that while a fingerprint is unique, it isn't secret. CCC got theirs from a sympathizer who picked it up from a glass used by the Secretary during a speech.

Bruce Schneier is, as usual, ahead of the curve on this. In an article from nearly ten years ago, he drives home the point:

The moral is that biometrics work great only if the verifier can verify two things: one, that the biometric came from the person at the time of verification, and two, that the biometric matches the master biometric on file. If the system can't do that, it can't work. Biometrics are unique identifiers, but they are not secrets. (Repeat that sentence until it sinks in.)

Other forms of biometric identification exist, but are susceptible to the same kinds of problems. A voiceprint or facial identification scanner could be fairly easily subverted by secretly recording or photographing the subject. Retinal scans are trickier, perhaps, but technology to remotely (and surreptitiously) read them will probably come along. In many cases, an attacker may not even need to go to that amount of trouble because they can just extract—or pay to have someone else extract—that information from some database.

More and more of this kind of information is being gathered and centralized. The US has started fingerprinting all ten fingers of non-citizens who enter the country, and other countries have started doing the same in retaliation. One could hope the data retention policy for that information is similar to that of White House emails, but it is probably longer. Worse yet, it is probably stored together with the subject's photograph, passport information, and signature.

The key to using biometrics correctly is to repeat the Schneier mantra:

Biometrics are powerful and useful, but they are not keys. They are useful in situations where there is a trusted path from the reader to the verifier; in those cases all you need is a unique identifier. They are not useful when you need the characteristics of a key: secrecy, randomness, the ability to update or destroy. Biometrics are unique identifiers, but they are not secrets.

Revocation of a biometric identifier is difficult or impossible—if it is even known to be compromised. One could potentially switch fingers for fingerprint identification, or even switch eyes—once. Switching voiceprint, face, or DNA if and when that gets used, will be essentially impossible. Biometrics suffer from the same failure mode as using the same password everywhere, unless you can somehow use a different characteristic for each biometrically "protected" dataset—hard to do with limited body parts.

Biometric data does have its uses, but it has limitations as well. It seems seductively simple that your fingerprint is the same as you, but it isn't necessarily true. Now we just need to teach the politicians, which might be something that Schäuble is starting to learn.

Comments (34 posted)

New vulnerabilities

capp-lspp-config: privilege escalation

Package(s): lspp-eal4-config-ibm, capp-lspp-eal4-config-hp
CVE #(s): CVE-2008-0884
Created: April 1, 2008    Updated: April 2, 2008
Description: The lspp-eal4-config-ibm and capp-lspp-eal4-config-hp packages contain utilities and documentation for configuring a machine for the Controlled Access Protection Profile (CAPP) or the Labeled Security Protection Profile (LSPP).

It was discovered that running the "capp-lspp-config" script leaves the "/etc/pam.d/system-auth" file world-writable. Local users with limited privileges could then edit the PAM stack to gain additional access or to escalate their privileges.

Red Hat RHSA-2008:0193-02 lspp-eal4-config-ibm, capp-lspp-eal4-config-hp 2008-04-01

Comments (2 posted)
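A check for the condition described above, added here as an example; it is not the capp-lspp-config script or Red Hat's fix. It audits a PAM configuration directory for entries that someone other than the trusted owner could alter (world-writable files, group-writable files owned by an untrusted group, files with the wrong owner, and symlinks, which the PAM library follows). The sample tree built by build_sample_pam_dir() is constructed for the demo and the running user stands in for root; on a real system, point insecure_pam_files() at /etc/pam.d with the default trusted uid and gid of 0.

```python
import os
import shutil
import stat
import tempfile

# Added example for the capp-lspp-config advisory; not the capp-lspp-config
# script or Red Hat's fix. Sample directory and files are constructed.

def insecure_pam_files(pam_dir, trusted_uid=0, trusted_gid=0):
    """Return {entry name: [reasons]} for every entry in pam_dir that someone
    other than the trusted owner could change. A world-writable system-auth,
    as left behind by capp-lspp-config, is reported as 'world-writable'."""
    findings = {}
    if os.stat(pam_dir).st_mode & stat.S_IWOTH:
        findings["."] = ["directory is world-writable: entries can be replaced"]
    for name in sorted(os.listdir(pam_dir)):
        path = os.path.join(pam_dir, name)
        reasons = []
        st = os.lstat(path)                       # lstat: do not follow links
        if stat.S_ISLNK(st.st_mode):
            reasons.append("symlink: PAM follows it, target may be attacker-controlled")
            try:
                st = os.stat(path)                # inspect the target as well
            except FileNotFoundError:
                findings[name] = reasons + ["dangling symlink"]
                continue
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if st.st_mode & stat.S_IWGRP and st.st_gid != trusted_gid:
            reasons.append("group-writable by untrusted gid %d" % st.st_gid)
        if st.st_uid != trusted_uid:
            reasons.append("owned by uid %d, not the trusted owner" % st.st_uid)
        if reasons:
            findings[name] = reasons
    return findings

def build_sample_pam_dir():
    """Constructed sample: a throwaway directory imitating /etc/pam.d after
    the buggy script has run (system-auth left mode 0666, plus a dangling
    symlink to show the link handling)."""
    d = tempfile.mkdtemp(prefix="pam.d-")
    for name, mode in (("login", 0o644), ("system-auth", 0o666)):
        path = os.path.join(d, name)
        with open(path, "w") as f:
            f.write("auth required pam_unix.so\n")
        os.chmod(path, mode)
    os.symlink("/nonexistent/target", os.path.join(d, "other"))
    return d

def demo():
    """Scan the sample tree; the running user plays the part of root."""
    d = build_sample_pam_dir()
    try:
        return insecure_pam_files(d, trusted_uid=os.getuid(), trusted_gid=os.getgid())
    finally:
        shutil.rmtree(d)

if __name__ == "__main__":
    for name, reasons in demo().items():
        print("%s: %s" % (name, "; ".join(reasons)))
```

The ownership and group checks matter as much as the world-writable bit: a file in /etc/pam.d that root does not own, or that a non-root group can write, is an equally direct route to changing who may log in.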

centerim: command injection

Package(s): centerim
CVE #(s): CVE-2008-1467
Created: April 2, 2008    Updated: April 2, 2008
Description: The centerim instant messaging client passes unescaped URLs to the shell, allowing the injection of arbitrary commands via a crafted URL.
Fedora FEDORA-2008-2869 centerim 2008-04-01
Fedora FEDORA-2008-2867 centerim 2008-04-01

Comments (none posted)
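The flaw class described above, shown as an added example in Python; this is not centerim's code (centerim is C++ and its actual browser command template is not shown on this page). The stand-in "browser" is echo, so the demo runs offline and returns exactly what the child process received; BROWSER and MALICIOUS_URL are constructed for the demonstration.

```python
import shlex
import subprocess
from urllib.parse import urlsplit

# Added example for the centerim advisory; not centerim's code. "echo" stands
# in for the browser command; the URL is a constructed attacker sample.
BROWSER = "echo"

# A URL as an attacker could send it in a message. The "; echo INJECTED" tail
# only means anything if a shell gets to parse the command line.
MALICIOUS_URL = "http://example.com/; echo INJECTED"

def open_url_vulnerable(url):
    """The flawed pattern: splice the URL into a command line and hand it to
    /bin/sh. Returns the child's stdout, one line per command the shell ran."""
    return subprocess.run("%s %s" % (BROWSER, url), shell=True,
                          capture_output=True, text=True).stdout

def is_acceptable_url(url):
    """Allow only http(s) URLs with no control characters; anything else is
    refused before it reaches a browser (or, worse, a shell)."""
    try:
        scheme = urlsplit(url).scheme
    except ValueError:
        return False
    if scheme not in ("http", "https"):
        return False
    return not any(ord(c) < 32 or ord(c) == 127 for c in url)

def open_url_hardened(url):
    """Validate, then pass the URL as a single argv element. No shell is
    involved, so ';', '|', '`' and '$(...)' are just characters."""
    if not is_acceptable_url(url):
        raise ValueError("refusing to open %r" % url)
    return subprocess.run([BROWSER, url], capture_output=True, text=True).stdout

def open_url_quoted(url):
    """If a shell really cannot be avoided (say the browser command is a
    user-supplied template), quote the URL so the shell sees one word."""
    if not is_acceptable_url(url):
        raise ValueError("refusing to open %r" % url)
    return subprocess.run("%s %s" % (BROWSER, shlex.quote(url)), shell=True,
                          capture_output=True, text=True).stdout

if __name__ == "__main__":
    print("vulnerable:", repr(open_url_vulnerable(MALICIOUS_URL)))
    print("hardened:  ", repr(open_url_hardened(MALICIOUS_URL)))
    print("quoted:    ", repr(open_url_quoted(MALICIOUS_URL)))
```

The vulnerable version prints two lines, because the shell executed two commands; both safe versions print the URL verbatim as a single argument. The scheme check is a separate defence: even with the shell removed, handing a file: or javascript: URL to a browser is not something an IM client should do on a contact's say-so.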

cups: buffer overflows

Package(s): cups
CVE #(s): CVE-2008-0053 CVE-2008-1373
Created: April 1, 2008    Updated: October 16, 2008
Description: Two overflows were discovered in the HP-GL/2-to-PostScript filter. An attacker could create a malicious HP-GL/2 file that could possibly execute arbitrary code as the "lp" user if the file is printed. A buffer overflow flaw was discovered in the GIF decoding routines used by CUPS image converting filters "imagetops" and "imagetoraster". An attacker could create a malicious GIF file that could possibly execute arbitrary code as the "lp" user if the file was printed.
Fedora FEDORA-2008-8844 cups 2008-10-16
Fedora FEDORA-2008-8801 cups 2008-10-16
Debian DSA-1625-1 cupsys 2008-08-01
Fedora FEDORA-2008-2131 cups 2008-04-08
Fedora FEDORA-2008-2897 cups 2008-04-08
rPath rPSA-2008-0136-1 cups 2008-04-04
SuSE SUSE-SA:2008:020 cups 2008-04-04
Ubuntu USN-598-1 cupsys 2008-04-02
Slackware SSA:2008-094-01 cups 2008-04-03
Mandriva MDVSA-2008:081 cups 2008-04-02
Gentoo 200804-01 cups 2008-04-01
Red Hat RHSA-2008:0206-01 cups 2008-04-01
Red Hat RHSA-2008:0192-01 cups 2008-04-01

Comments (none posted)

cups: multiple vulnerabilities

Package(s): cups
CVE #(s): CVE-2008-1374 CVE-2004-0888 CVE-2005-0206
Created: April 1, 2008    Updated: August 6, 2008
Description: Multiple integer overflows in xpdf 2.0 and 3.0, and other packages that use xpdf code such as CUPS, gpdf, and kdegraphics, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code. An attacker could create a malicious PDF file that could possibly execute arbitrary code as the "lp" user if the file was printed. The patch for integer overflow vulnerabilities in Xpdf 2.0 and 3.0 (CVE-2004-0888) is incomplete for 64-bit architectures on certain Linux distributions such as Red Hat, which could leave Xpdf users exposed to the original vulnerabilities.
rPath rPSA-2008-0245-1 cups 2008-08-05
Red Hat RHSA-2008:0206-01 cups 2008-04-01

Comments (none posted)

gnome-screensaver: information disclosure

Package(s): gnome-screensaver
CVE #(s): CVE-2007-6389
Created: April 2, 2008    Updated: November 12, 2008
Description: The gnome-screensaver "leave message" feature can be used to read the contents of the user's clipboard, potentially disclosing useful information.
Ubuntu USN-669-1 gnome-screensaver 2008-11-11
SuSE SUSE-SR:2008:017 powerdns, dnsmasq, python, mailman, ruby, Opera, neon, rxvt-unicode, perl, wireshark, namazu, gnome-screensaver, mysql 2008-08-29
SuSE SUSE-SA:2008:041 openwsman 2008-08-14
Mandriva MDVSA-2008:135 gnome-screensaver 2008-07-04
Fedora FEDORA-2008-3017 gnome-screensaver 2008-04-08
Fedora FEDORA-2008-2967 gnome-screensaver 2008-04-08
Fedora FEDORA-2008-2872 gnome-screensaver 2008-04-01
Fedora FEDORA-2008-2818 gnome-screensaver 2008-04-01

Comments (none posted)

gnome-screensaver: lock bypass

Package(s): gnome-screensaver
CVE #(s): CVE-2008-0887
Created: April 2, 2008    Updated: November 12, 2008
Description: From the Red Hat advisory: A flaw was found in the way gnome-screensaver verified user passwords. When a system used a remote directory service for login credentials, a local attacker able to cause a network outage could cause gnome-screensaver to crash, unlocking the screen.
Ubuntu USN-669-1 gnome-screensaver 2008-11-11
Mandriva MDVSA-2008:132 gnome-screensaver 2008-07-04
SuSE SUSE-SR:2008:014 sudo, courier-authlib, gnome-screensaver, clamav, php5, ImageMagick, GraphicsMagick, mtr, bind, pcre, tomcat, squid, freetype2 2008-07-04
Gentoo 200804-12 gnome-screensaver 2008-04-11
Fedora FEDORA-2008-3017 gnome-screensaver 2008-04-08
Fedora FEDORA-2008-2967 gnome-screensaver 2008-04-08
Red Hat RHSA-2008:0218-01 gnome-screensaver 2008-04-03
Red Hat RHSA-2008:0197-01 gnome-screensaver 2008-04-02

Comments (none posted)
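The failure mode in the advisory above, modelled as an added example; it is not gnome-screensaver code (which is C and goes through PAM). The lock dialog calls an authentication backend that raises when its directory server is unreachable; if that error escapes the lock loop the process dies, and a dead screensaver is an unlocked screen. RemoteDirectory, its credential table and the outage flag are constructed for the demo.

```python
import logging

# Added example for the gnome-screensaver lock-bypass advisory; not
# gnome-screensaver code. RemoteDirectory stands in for a network credential
# store (LDAP, NIS, ...) and is constructed for the demonstration.

class DirectoryUnreachable(Exception):
    """The remote directory could not be contacted."""

class RemoteDirectory:
    def __init__(self, credentials, online=True):
        self._creds = dict(credentials)        # user -> password, sample data
        self.online = online

    def authenticate(self, user, password):
        if not self.online:
            raise DirectoryUnreachable("directory server unreachable")
        return self._creds.get(user) == password

def try_unlock_vulnerable(directory, user, password):
    """Lets backend errors escape to the caller. In the screensaver that is an
    uncaught error, a dead process, and an exposed session."""
    return directory.authenticate(user, password)

def try_unlock_hardened(directory, user, password):
    """Fail closed: any error during verification is a denial, never an exit."""
    try:
        return bool(directory.authenticate(user, password))
    except Exception as exc:      # deliberately broad: this path must not die
        logging.warning("unlock denied, backend error: %s", exc)
        return False

def run_lock_screen(unlock, directory, attempts):
    """Simulate the lock dialog loop over (user, password) attempts. Returns
    'unlocked' on a correct password, 'locked' if every attempt was refused,
    or 'crashed' if an exception escaped unlock(), which for a screensaver
    exposes the session exactly as unlocking would."""
    for user, password in attempts:
        try:
            if unlock(directory, user, password):
                return "unlocked"
        except Exception:
            return "crashed"
    return "locked"

if __name__ == "__main__":
    outage = RemoteDirectory({"alice": "s3cret"}, online=False)
    print("vulnerable during outage:",
          run_lock_screen(try_unlock_vulnerable, outage, [("alice", "wrong")]))
    print("hardened during outage:  ",
          run_lock_screen(try_unlock_hardened, outage, [("alice", "wrong")]))
```

Note that the hardened path refuses even the correct password while the directory is down: it cannot tell, so it denies. The denial caused by an outage is logged separately from a wrong password so that operators can see the outage rather than mistaking it for a guessing attack.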

lighttpd: denial of service

Package(s): lighttpd
CVE #(s): CVE-2008-1531
Created: April 1, 2008    Updated: May 19, 2008
Description: lighttpd 1.4.19 and earlier allows remote attackers to cause a denial of service (active SSL connection loss) by triggering an SSL error, such as disconnecting before a download has finished, which causes all active SSL connections to be lost.
Fedora FEDORA-2008-4119 lighttpd 2008-05-17
SuSE SUSE-SR:2008:011 rsync, MozillaFirefox, poppler, nagios, lighttpd, sarg, squid, bzip2, kdelibs3, texlive-bin, kdelibs4, Sun Java 2008-05-09
Fedora FEDORA-2008-3343 lighttpd 2008-04-29
Fedora FEDORA-2008-3376 lighttpd 2008-04-29
Debian DSA-1540-2 lighttpd 2008-04-15
Gentoo 200804-08 lighttpd 2008-04-10
Debian DSA-1540-1 lighttpd 2008-04-07
rPath rPSA-2008-0132-1 lighttpd 2008-03-31

Comments (none posted)

mod_suphp: symlink vulnerabilities

Package(s): mod_suphp
CVE #(s):
Created: April 2, 2008    Updated: April 2, 2008
Description: mod_suphp 0.6.2 contains two symbolic link vulnerabilities which can be exploited by a local user for privilege escalation.
Fedora FEDORA-2008-2868 mod_suphp 2008-04-01
Fedora FEDORA-2008-2815 mod_suphp 2008-04-01

Comments (none posted)

phpMyAdmin: information disclosure

Package(s): phpMyAdmin
CVE #(s): CVE-2008-1567
Created: April 2, 2008    Updated: February 2, 2009
Description: phpMyAdmin saves MySQL username and password information in (potentially unprotected) session data.
SuSE SUSE-SR:2008:026 libxml2, phpMyAdmin, lighttpd, OpenOffice_org, imp, clamav, acroread, htop, cups 2008-11-24
SuSE SUSE-SR:2009:003 boinc-client, xrdp, phpMyAdmin, libnasl, moodle, net-snmp, audiofile, xterm, amarok, libpng, sudo, avahi 2009-02-02
Mandriva MDVSA-2008:131 phpMyAdmin 2008-07-04
Debian DSA-1557-1 phpmyadmin 2008-04-24
Fedora FEDORA-2008-2874 phpMyAdmin 2008-04-01
Fedora FEDORA-2008-2825 phpMyAdmin 2008-04-01

Comments (none posted)

policyd-weight: insecure temp file

Package(s): policyd-weight
CVE #(s): CVE-2008-1569
Created: March 27, 2008    Updated: April 11, 2008
Description: From the Debian alert: Chris Howells discovered that policyd-weight, a policy daemon for the Postfix mail transport agent, created its socket in an insecure way, which may be exploited to overwrite or remove arbitrary files from the local system.
Gentoo 200804-11 policyd-weight 2008-04-11
Debian DSA-1531-2 policyd-weight 2008-03-29
Debian DSA-1531-1 policyd-weight 2008-03-27

Comments (none posted)
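The attack class behind this policyd-weight entry and the mod_suphp entry above, reproduced as an added example; it is not code from either project. A daemon creates a file under a predictable name in a directory that other users can write to, an attacker has already planted a symlink there, and an unguarded open() writes through the link into whatever file the attacker chose. The directory layout, the file names and their contents are constructed for the demo inside a throwaway directory.

```python
import errno
import os
import shutil
import tempfile

# Added example for the mod_suphp and policyd-weight symlink entries; not code
# from either project. Paths, names and contents are constructed for the demo.

def create_vulnerable(path, data):
    """Flawed pattern: open(path, 'w') follows a symlink and truncates whatever
    it points at."""
    with open(path, "w") as f:
        f.write(data)

def create_hardened(path, data):
    """Create a new file only. O_EXCL fails if anything already exists at path
    (a planted symlink included); O_NOFOLLOW refuses to traverse a link that
    shows up between a check and the open. Mode 0600 keeps others out."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)

def stage_attack():
    """Build the scenario: a shared directory standing in for /tmp, a victim
    file the attacker cannot write directly, and the attacker's symlink at the
    name the daemon is known to use. Returns (base_dir, victim, target)."""
    base = tempfile.mkdtemp(prefix="symlink-demo-")
    shared = os.path.join(base, "shared")
    os.mkdir(shared, 0o1777)
    victim = os.path.join(base, "victim.conf")
    with open(victim, "w") as f:
        f.write("original contents\n")
    target = os.path.join(shared, "policyd-weight.sock")    # predictable name
    os.symlink(victim, target)                               # attacker's move
    return base, victim, target

def run(create):
    """Run one creation routine against a freshly staged attack. Returns
    (victim contents afterwards, errno name of the failure or None)."""
    base, victim, target = stage_attack()
    try:
        error = None
        try:
            create(target, "daemon data\n")
        except OSError as exc:
            error = errno.errorcode.get(exc.errno, str(exc.errno))
        with open(victim) as f:
            return f.read(), error
    finally:
        shutil.rmtree(base)

if __name__ == "__main__":
    print("vulnerable:", run(create_vulnerable))
    print("hardened:  ", run(create_hardened))
```

The vulnerable writer clobbers victim.conf; the hardened one fails with EEXIST and leaves it alone. Failing is the correct outcome, but the lasting fix is to stop using a predictable name in a shared directory at all: create a private directory (mode 0700, under a parent only the daemon's owner can write) and put the socket or temporary file inside it, so there is nowhere for an attacker to plant a link.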

tomcat: insecure ciphers

Package(s): tomcat
CVE #(s): CVE-2007-1858
Created: March 28, 2008    Updated: April 2, 2008
Description: The default SSL cipher configuration in Apache Tomcat 4.1.28 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.17 uses certain insecure ciphers, including the anonymous cipher, which allows remote attackers to obtain sensitive information or have other, unspecified impacts.
SuSE SUSE-SR:2008:007 unzip, tomcat, moodle, xine 2008-03-28

Comments (none posted)

xine-lib: multiple integer overflows

Package(s): xine
CVE #(s): CVE-2008-1482
Created: April 1, 2008    Updated: September 10, 2008
Description: Multiple integer overflows in xine-lib 1.1.11 and earlier allow remote attackers to trigger heap-based buffer overflows and possibly execute arbitrary code via (1) a crafted .FLV file, which triggers an overflow in demuxers/demux_flv.c; (2) a crafted .MOV file, which triggers an overflow in demuxers/demux_qt.c; (3) a crafted .RM file, which triggers an overflow in demuxers/demux_real.c; (4) a crafted .MVE file, which triggers an overflow in demuxers/demux_wc3movie.c; (5) a crafted .MKV file, which triggers an overflow in demuxers/ebml.c; or (6) a crafted .CAK file, which triggers an overflow in demuxers/demux_film.c.
Fedora FEDORA-2008-7572 xine-lib 2008-09-05
Ubuntu USN-635-1 xine-lib 2008-08-06
Gentoo 200808-01 xine-lib 2008-08-06
Mandriva MDVSA-2008:178 xine-lib 2008-08-20
Debian DSA-1586-1 xine-lib 2008-05-22
Fedora FEDORA-2008-2849 xine-lib 2008-04-08
Fedora FEDORA-2008-2945 xine-lib 2008-04-08
SuSE SUSE-SR:2008:008 wireshark, otrs, xine, xgl, silc-toolkit, lighttpd, tk 2008-04-04
Slackware SSA:2008-092-01 xine 2008-03-31

Comments (none posted)

Page editor: Jake Edge

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds